* Fixed Bug #9241: Callback functions were being passed a copy of
the login object instead of a reference to it under PHP4.
* Fixed Bug #9286: Comparison of passwords and their hashes could give
a false positive.

* Added new SOAP container that makes use of the PHP5 SOAP Client. Thanks to
Marcel Oelke <puRe at rednoize dot com>. Fixes #2612.
* Added support for trying all the user accounts returned from an LDAP server
not just the first one so as to support authenticating against Lotus Notes
which allows identical usernames where the only difference is the password.
Fixes #5365.
* Added new Array container for simple authentication setups where it's easier
to list users in the file than to set up some sort of backend. Thanks to
georg_1 at have2 dot com. Fixes #5832.
* Added KADM5 container that makes use of the PECL kadm5 extension to
authenticate against Kerberos 5 servers. Thanks to Andrew Teixeira
<ateixeira at gmail dot com>. Fixes #6671.
* Fixed #8597. Remove references to $GLOBALS['HTTP_*_VARS'] now that we require
PHP 4.3.3+ for other reasons.
* Added SAP container that makes use of the SAPRFC extension available from
http://saprfc.sourceforge.net/. Thanks to Stoyan Stefanov <ssttoo at gmail dot com>.
Fixes #8637.
* Fix #8599. Allow identifier quoting in DB, DBLite, MDB and MDB2 backends to
be switched off by developer.
* Fix Bug #8732: Auth_Container_DB having problems with SQLite databases.
SQLite returns the name of quoted field names including the quotes instead
of stripping the quotes like all other DBs.
* Fix Bug #8735: Auth_Container_File::addUser() working on different instances
of File_Passwd object.

* Fixed Bug #8524: Notice from attempting to perform string operation on what
might be an array in DB, DBLite, MDB and MDB2. Thanks to dozoyousan at gmail
dot com.
* Remove debug message from RADIUS Container when using CHAP_MD5 or MSCHAPv1
style passwords. Thanks to Stoyan Stefanov <ssttoo at gmail dot com> for
pointing out this 3yr old bug.

This release candidate is to test the numerous fixes described below. It is also
to get feedback on the change made for Bug #8407. Bug #8407 adds automatic
quoting of table and field names used in SQL in the Database backends.

Numerous other small fixes and improvements to all storage containers thanks
to the following people: Matt Eaton, Jeroen Houben, Cipriano Groenendal,
Markku Turunen, Matthew Van Gundy, marc at practeo dot ch and I'm sure many
others that have contributed over the years it's taken to get this release
out.

This release is primarily a coding standard clean-up before the 1.3.0 final
release.

In addition, the following improvements to the LDAP Container were supplied
by Hugues Peeters <hugues.peeters@claroline.net>.
* Changed default attrformat to AUTH so that loaded attributes are
presented in the same format as other backends provide.
* Added compatibility support for 1.2 style configuration options.
* Attributes option now accepts a comma-separated string as well as
an array, the same as db_fields in the DB, MDB and MDB2 backends.

Finally there are additional checks that the relevant PHP module is loaded
when loading the IMAP and VPOPMail Containers.

This is hopefully the final release candidate before 1.3.0. Please test.

* MDB & MDB2 Backends: Start DB object before using quoting features in all
functions.
* Updated test cases. Passes all tests for DB, MDB and MDB2.
* Fixed Bug #6851: Double quotes caused by incorrect use of DB::quoteSmart()
and developer being asleep at his computer.

This release fixes a security issue that allows an attacker to perform
injection attacks against the underlying storage containers. Upgrading
is strongly recommended if you are using beta releases of the Auth
package.

* Improved parameter validation in the DB and LDAP containers. (Patch
provided by Matthew Van Gundy.)
* Fixed Bug #3101: Wrong variable names in Auth/Container/File.php (mike)
* renamed supportsChallengeResponce() to supportsChallengeResponse()
in the DB container (quipo)
* Fixed Bug #4347: recognition of DB and MDB objects passed as dsn
* Fixed Bug #6324: updated MDB2 container
* Fixed Bug #5174: "Only variable references should be returned by reference"
bug in _factory()
* Fixed Bug #2446: English-language typos.
This results in a BC break for any custom containers that have implemented
supportsChallengeResponce(). Also, all containers already had
supportsChallengeResponse() instead of supportsChallengeResponce(), and
therefore the call in Auth_Frontend_Html always called the default
implementation and not the container implementation.
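
One way to validate and escape a username before it is placed in an LDAP search filter, covering the LDAP side of the parameter-validation fix noted in this release. This is an added example, not code from the Auth package: the function names, the `uid` attribute, the `objectClass` filter and the 256-byte length limit are assumptions.

```php
<?php
// Added illustration; not taken from Auth/Container/LDAP.php.
// Function names and sample values are hypothetical / constructed.

/** Escape a value for use in an LDAP search filter (RFC 4515, section 3). */
function escapeFilterValue($value)
{
    // strtr() with an array scans the input once, so the backslashes it
    // emits are never escaped a second time.
    return strtr($value, array(
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ));
}

/** Reject usernames that are empty, over-long or contain control bytes. */
function validateUsername($username)
{
    return is_string($username)
        && $username !== ''
        && strlen($username) <= 256   // assumed limit, adjust to the directory
        && !preg_match('/[\x00-\x1f\x7f]/', $username);
}

/** Build (&(attr=value)filter) with the user-supplied value escaped. */
function buildUserFilter($userattr, $username, $userfilter)
{
    if (!validateUsername($username)) {
        return false;
    }
    return sprintf('(&(%s=%s)%s)', $userattr,
                   escapeFilterValue($username), $userfilter);
}

// Constructed inputs: a normal name and names containing filter metacharacters.
$samples = array('jsmith', 'smith (contractor)', 'j*', 'a\\b', '');
foreach ($samples as $name) {
    $filter = buildUserFilter('uid', $name, '(objectClass=posixAccount)');
    printf("%-20s => %s\n", var_export($name, true),
           $filter === false ? 'rejected' : $filter);
}
```

After escaping, parentheses, asterisks and backslashes in the username are matched as literal characters, so the filter keeps the structure the developer wrote regardless of what the login form submits.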

* Moved login screen generation code to Auth/Frontend/Html.php.
In the future the frontend will be configurable.
* Implemented support for Challenge/Response password authentication.
You have to enable advanced security with $auth->setAdvancedSecurity;
it will work only with the DB container and cryptType = none|md5.
* Implemented setAllowLogin to control which pages are allowed to perform login,
to preserve BC. Previously the showLogin flag was used to control this - yavo
* Implemented lazy loading for the storage constructor; the constructor is only created when needed,
to make Auth more lightweight (this might be adding a bit more overhead to login and user management functions).
* Removed include of PEAR; it was not used anywhere in Auth.php.
* Created a new storage container DBLite, the same as DB but with the user manipulation functions removed (50% smaller).
* Added a new method staticCheckAuth which can be called statically with only the auth options.
* Auth::importGlobalVariable method was removed and replaced by references to global variables.
* Removed all calls to $session[$this->_sessionName]; made local reference session point to that instead.
* Changed call_user_func to call_user_func_array for the callbacks, to avoid using @ for passing variables by reference.
* Code cleanup, removed most vi comments.

* Added an Auth_Controller class, to manage automatic redirection to login page and redirect back
to the calling page [04/06/2004 - Yavo]
* Changes to LDAP container:
- additional attribute fetching to authData via new option attributes
- utf8 encoding username for ldapv3 (fixes german umlaut problem)
- make scope definable for user and group searching separately
- remove useroc, groupoc and replace them with userfilter, groupfilter which is way more flexible
- updated documentation on all new and changed parameters
As some of the parameters changed this one is not backwards compatible to earlier versions.
Look at the top of the class where all parameters are explained in detail.
[08/April/2004 - jw]
* Added new MDB2 container [30/March/2004 - quipo]
* Implements changePassword and CS fixed, patch from Cipriano Groenendal <cipri@cipri.com>
[29/March/2004 - yavo]
* Added options for changing the post variables, patch supplied by Moritz Heidkamp <moritz.heidkamp@invision-team.de>
[03/March/2004 - yavo]
* Added method setAdvancedSecurity and set advanced security to off by default, if turned on auth will perform additional
security checks if ip or user agent has changed across requests
* Login is now performed only if showLogin is true, do not allow for logins to be performed from any page which calls auth->start
spotted by Matt Eaton <pear@divinehawk.com> [16/Jan/2004 - yavo]
* Fixed bug noted by Jeroen Houben <jeroen@terena.nl>, calling loginFailedCallback
would not have the proper status set [16/Jan/2004 - yavo]
* Added PEAR container, authenticate the user against the pear web site
(probably php.net also) [16/Dec/2003 - yavo]

* New method getUser() added to Auth_Container
* New Auth_Container_File, using new File_Passwd class. Provided by Michael Wallner <mike@php.net>
* Login/Logout callbacks now get a reference to auth
* New Login Failed Callback added (method setFailedLoginCallback)
* SOAP container patch to keep a reference to the SOAP response by Bruno Pedro <bpedro@co.sapo.pt>
* Auth is now installed in /pear-dir/Auth.php instead of /pear-dir/Auth/Auth.php; an
empty file /pear-dev/Auth/Auth.php which includes Auth.php is added for BC
* The container now gets a reference to the auth object ($auth->storage->_auth_obj)
* Some patches from the pear-dev list below:
- maka3d@yahoo.com.br - Patch to use a method of the container in Auth_Container::verifyPassword
- Lorenzo Alberton <l.alberton@quipo.it> - Patch to use a variable session variable name; until now the variable auth was used
- Marcos Neves <maka3d@yahoo.com.br> - Avoid error when calling getAuthData() before the login

* Added new methods setAuthData() and getAuthData() that allow to write
and read additional data into/from the session pool.

* Improved internal handling of session variables.

* Instead of sticking to md5 as the password encryption method, one
can now choose between the standard Unix DES-based encryption algorithm,
md5 hashing and using plain text passwords. Please note that the
last option is a security risk and shouldn't be used unless you
*really* know what you are doing.

* Database storage container: Only open connection to SQL server if it
is really necessary. This speeds up the whole process in a lot of
situations.

This release includes a new function setSessionname that allows
the user of the package to change the name of the session to
a value different from the default ("PHPSESSID"). This is useful if
one uses two different auth systems on the same domain.

* Via the function setShowLogin() it is possible to create sites
that have an optional login function, which makes it possible
to serve parts of the site without authentication and the
rest only when the user has been authenticated.